Smut lure powers Tumblr phish scam

Security watchers are warning about a massive phishing attack against Tumblr users.

Maliciously constructed web pages designed to look like legitimate Tumblr addresses have been poisoned with links that supposedly offer access to lurid content, providing prospective marks log in to the micro-blogging service.

Users who fall for the ruse surrender their account to hackers, exposing their online friends to follow-up attacks in the process.

The ultimate aim of the attack is unclear, but it could be account credentials are being harvested so that attackers can try to access more sensitive webmail or online banking accounts using the same login credentials.

Net security outfit GFI Software estimates that more than 8,000 have been taken in by the ruse.

It seems that an attack that began with a low-level attack designed to trick users into handing over their login credentials in order to take a test and join the "Tumblr IQ Society" last Thursday has morphed into a more potent and widespread attack using a more salacious lure.

General advice on avoiding phishing scams can be found in a blog post by Eset here. ®